{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347761892", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347761892, "node_id": "IC_kwDOBm6k_c5QVTbk", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T05:14:25Z", "updated_at": "2022-12-13T05:14:25Z", "author_association": "OWNER", "body": "New documentation: https://docs.datasette.io/en/latest/authentication.html#restricting-the-actions-that-a-token-can-perform", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347759522", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347759522, "node_id": "IC_kwDOBm6k_c5QVS2i", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T05:11:43Z", "updated_at": "2022-12-13T05:11:43Z", "author_association": "OWNER", "body": "Decided to do the `/-/create-token` UI in a separate ticket:\r\n- #1947", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347731288", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347731288, "node_id": "IC_kwDOBm6k_c5QVL9Y", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T04:24:50Z", "updated_at": "2022-12-13T04:24:50Z", "author_association": "OWNER", "body": "For the tests for `datasette create-token` it would be useful if `datasette --get` had a mechanism for sending an `Authorization: Bearer X` header.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347726302", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347726302, "node_id": "IC_kwDOBm6k_c5QVKve", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T04:16:26Z", "updated_at": "2022-12-13T04:16:26Z", "author_association": "OWNER", "body": "I'm going to move this code into `datasette/cli.py` - it's a bit unexpected having it live in `default_permissions.py` like this (I couldn't find the code when I went looking for it earlier).", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347707683", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347707683, "node_id": "IC_kwDOBm6k_c5QVGMj", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T03:55:35Z", "updated_at": "2022-12-13T04:15:27Z", "author_association": "OWNER", "body": "Help looks like this:\r\n\r\n```\r\nUsage: datasette create-token [OPTIONS] ID\r\n\r\n  Create a signed API token for the specified actor ID\r\n\r\n  Example:\r\n\r\n      datasette create-token root --secret mysecret\r\n\r\n  To only allow create-table:\r\n\r\n      datasette create-token root --secret mysecret \\\r\n          --all create-table\r\n\r\n  Or to only allow insert-row against a specific table:\r\n\r\n      datasette create-token root --secret myscret \\\r\n          --resource mydb mytable insert-row\r\n\r\n  Restricted actions can be specified multiple times using multiple --all,\r\n  --database, and --resource options.\r\n\r\n  Add --debug to see a decoded version of the token.\r\n\r\nOptions:\r\n  --secret TEXT                   Secret used for signing the API tokens\r\n                                  [required]\r\n  -e, --expires-after INTEGER     Token should expire after this many seconds\r\n  -a, --all ACTION                Restrict token to this action\r\n  -d, --database DB ACTION        Restrict token to this action on this\r\n                                  database\r\n  -r, --resource DB RESOURCE ACTION\r\n                                  Restrict token to this action on this\r\n                                  database resource (a table, SQL view or\r\n                                  named query)\r\n  --debug                         Show decoded token\r\n  --plugins-dir DIRECTORY         Path to directory containing custom plugins\r\n  --help                          Show this message and exit.\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347695728", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347695728, "node_id": "IC_kwDOBm6k_c5QVDRw", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T03:30:09Z", "updated_at": "2022-12-13T03:30:09Z", "author_association": "OWNER", "body": "I just noticed this in the existing code:\r\n\r\nhttps://github.com/simonw/datasette/blob/c5d30b58a1cd1c66bbddcf3561db005543ecaf25/datasette/default_permissions.py#L195-L203\r\n\r\nHard-coding those action names should not be necessary any more, especially now we have `datasette.permissions` for looking up metadata about the permissions.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347694871", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347694871, "node_id": "IC_kwDOBm6k_c5QVDEX", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T03:28:15Z", "updated_at": "2022-12-13T03:28:15Z", "author_association": "OWNER", "body": "Initial prototype of the `create-token` command changes:\r\n\r\n```diff\r\ndiff --git a/datasette/default_permissions.py b/datasette/default_permissions.py\r\nindex 406dae40..bbe1247e 100644\r\n--- a/datasette/default_permissions.py\r\n+++ b/datasette/default_permissions.py\r\n@@ -278,17 +278,55 @@ def register_commands(cli):\r\n         help=\"Token should expire after this many seconds\",\r\n         type=int,\r\n     )\r\n+    @click.option(\r\n+        \"alls\",\r\n+        \"-a\",\r\n+        \"--all\",\r\n+        type=str,\r\n+        multiple=True,\r\n+        help=\"Restrict token to this permission\",\r\n+    )\r\n+    @click.option(\r\n+        \"databases\",\r\n+        \"-d\",\r\n+        \"--database\",\r\n+        type=(str, str),\r\n+        multiple=True,\r\n+        help=\"Restrict token to this permission on this database\",\r\n+    )\r\n+    @click.option(\r\n+        \"resources\",\r\n+        \"-r\",\r\n+        \"--resource\",\r\n+        type=(str, str, str),\r\n+        multiple=True,\r\n+        help=\"Restrict token to this permission on this database resource (a table, SQL view or named query)\",\r\n+    )\r\n     @click.option(\r\n         \"--debug\",\r\n         help=\"Show decoded token\",\r\n         is_flag=True,\r\n     )\r\n-    def create_token(id, secret, expires_after, debug):\r\n+    def create_token(id, secret, expires_after, alls, databases, resources, debug):\r\n         \"Create a signed API token for the specified actor ID\"\r\n         ds = Datasette(secret=secret)\r\n         bits = {\"a\": id, \"token\": \"dstok\", \"t\": int(time.time())}\r\n         if expires_after:\r\n             bits[\"d\"] = expires_after\r\n+        if alls or databases or resources:\r\n+            bits[\"_r\"] = {}\r\n+            if alls:\r\n+                bits[\"_r\"][\"a\"] = list(alls)\r\n+            if databases:\r\n+                bits[\"_r\"][\"d\"] = {}\r\n+                for database, action in databases:\r\n+                    bits[\"_r\"][\"d\"].setdefault(database, []).append(action)\r\n+            if resources:\r\n+                bits[\"_r\"][\"r\"] = {}\r\n+                for database, table, action in resources:\r\n+                    bits[\"_r\"][\"r\"].setdefault(database, {}).setdefault(\r\n+                        table, []\r\n+                    ).append(action)\r\n         token = ds.sign(bits, namespace=\"token\")\r\n         click.echo(\"dstok_{}\".format(token))\r\n         if debug:\r\n```\r\nStill needs tests, plus I'd like it to use abbreviations if available to keep the token length shorter.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347693620", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347693620, "node_id": "IC_kwDOBm6k_c5QVCw0", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T03:25:41Z", "updated_at": "2022-12-13T03:25:41Z", "author_association": "OWNER", "body": "I'm going to rename \"t\" in the magic format to \"r\" for resource.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347675456", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347675456, "node_id": "IC_kwDOBm6k_c5QU-VA", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:57:46Z", "updated_at": "2022-12-13T02:57:46Z", "author_association": "OWNER", "body": "I was going to have the CLI command throw an error if you attempt to use a permission that isn't registered with Datasette, but then I remembered that one of the uses for the CLI tool is to create signed tokens that will work against other Datasette instances (via the `--secret` option) that might have different plugins installed that register different permission names.\r\n\r\nSo I might have it output warnings instead.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1313148519", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1313148519, "node_id": "IC_kwDOBm6k_c5ORQ5n", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-11-14T06:13:43Z", "updated_at": "2022-12-13T02:46:51Z", "author_association": "OWNER", "body": "The `datasette create-token` command will need to be able to do this too.\r\n\r\nRight now that command looks like this:\r\n```\r\n% datasette create-token --help\r\nUsage: datasette create-token [OPTIONS] ID\r\n\r\n  Create a signed API token for the specified actor ID\r\n\r\nOptions:\r\n  --secret TEXT                Secret used for signing the API tokens\r\n                               [required]\r\n  -e, --expires-after INTEGER  Token should expire after this many seconds\r\n  --debug                      Show decoded token\r\n  --help                       Show this message and exit.\r\n```\r\n```\r\n% datasette create-token root --secret sec --debug -e 445\r\ndstok_eyJhIjoicm9vdCIsInRva2VuIjoiZHN0b2siLCJ0IjoxNjY4NDA2MjEzLCJkIjo0NDV9.Hd6qRli6xRKkOIRQgZkPO5iN1wM\r\n\r\nDecoded:\r\n\r\n{\r\n  \"a\": \"root\",\r\n  \"token\": \"dstok\",\r\n  \"t\": 1668406213,\r\n  \"d\": 445\r\n}\r\n```\r\n(The `--debug` bit adds the decoded token.)\r\n\r\nSyntax for adding \"insert row\" for everything, \"update row\" for all in the \"data\" database and \"delete row\" just for the docs / titles table:\r\n```\r\ndatasette create-token root --secret sec \\\r\n  --all insert-row \\\r\n  --database data update-row \\\r\n  --table docs titles delete-row\r\n```\r\nThe `ir` / `ur` / `dr` options would work too. To add multiple permissions use these options multiple times:\r\n```\r\ndatasette create-token root --secret sec \\\r\n  --all insert-row \\\r\n  --all delete-row\r\n```\r\nShort versions: `-a` and `-d` and `-t`.\r\n\r\nUPDATE: I have decided to use the term `resource` in the user-facing elements of this feature instead of `table`, since that can refer to a SQL view and a canned query as well.\r\n\r\nSo `--resource` and `-r`, not `-t`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347669087", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347669087, "node_id": "IC_kwDOBm6k_c5QU8xf", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:45:15Z", "updated_at": "2022-12-13T02:45:15Z", "author_association": "OWNER", "body": "The hardest piece here is the UI. I'm going to implement the CLI command first.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1339952692", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1339952692, "node_id": "IC_kwDOBm6k_c5P3g40", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-06T20:15:50Z", "updated_at": "2022-12-06T20:16:00Z", "author_association": "OWNER", "body": "That commit there https://github.com/simonw/datasette/commit/6da17d5529773dfe41b53ed4ce5a6ecb46ed2457 (which will be squash-merged in a PR later on) made it so that `_r` was correctly copied across from the token to the created actor, and fixed a bug in the code that checks permissions against it for resources.\r\n\r\nI needed that mechanism to write a test that exercised different API permissions.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1302815929", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1302815929, "node_id": "IC_kwDOBm6k_c5Np2S5", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-11-04T00:19:10Z", "updated_at": "2022-12-03T07:05:51Z", "author_association": "OWNER", "body": "Added the tests.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1301646670", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1301646670, "node_id": "IC_kwDOBm6k_c5NlY1O", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-11-03T05:11:26Z", "updated_at": "2022-11-03T05:11:26Z", "author_association": "OWNER", "body": "That still needs comprehensive tests before I land it.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1301646493", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1301646493, "node_id": "IC_kwDOBm6k_c5NlYyd", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-11-03T05:11:06Z", "updated_at": "2022-11-03T05:11:06Z", "author_association": "OWNER", "body": "Built a prototype of the above:\r\n\r\n```diff\r\ndiff --git a/datasette/default_permissions.py b/datasette/default_permissions.py\r\nindex 32b0c758..f68aa38f 100644\r\n--- a/datasette/default_permissions.py\r\n+++ b/datasette/default_permissions.py\r\n@@ -6,8 +6,8 @@ import json\r\n import time\r\n \r\n \r\n-@hookimpl(tryfirst=True)\r\n-def permission_allowed(datasette, actor, action, resource):\r\n+@hookimpl(tryfirst=True, specname=\"permission_allowed\")\r\n+def permission_allowed_default(datasette, actor, action, resource):\r\n     async def inner():\r\n         if action in (\r\n             \"permissions-debug\",\r\n@@ -57,6 +57,44 @@ def permission_allowed(datasette, actor, action, resource):\r\n     return inner\r\n \r\n \r\n+@hookimpl(specname=\"permission_allowed\")\r\n+def permission_allowed_actor_restrictions(actor, action, resource):\r\n+    if actor is None:\r\n+        return None\r\n+    _r = actor.get(\"_r\")\r\n+    if not _r:\r\n+        # No restrictions, so we have no opinion\r\n+        return None\r\n+    action_initials = \"\".join([word[0] for word in action.split(\"-\")])\r\n+    # If _r is defined then we use those to further restrict the actor\r\n+    # Crucially, we only use this to say NO (return False) - we never\r\n+    # use it to return YES (True) because that might over-ride other\r\n+    # restrictions placed on this actor\r\n+    all_allowed = _r.get(\"a\")\r\n+    if all_allowed is not None:\r\n+        assert isinstance(all_allowed, list)\r\n+        if action_initials in all_allowed:\r\n+            return None\r\n+    # How about for the current database?\r\n+    if action in (\"view-database\", \"view-database-download\", \"execute-sql\"):\r\n+        database_allowed = _r.get(\"d\", {}).get(resource)\r\n+        if database_allowed is not None:\r\n+            assert isinstance(database_allowed, list)\r\n+            if action_initials in database_allowed:\r\n+                return None\r\n+    # Or the current table? That's any time the resource is (database, table)\r\n+    if not isinstance(resource, str) and len(resource) == 2:\r\n+        database, table = resource\r\n+        table_allowed = _r.get(\"t\", {}).get(database, {}).get(table)\r\n+        # TODO: What should this do for canned queries?\r\n+        if table_allowed is not None:\r\n+            assert isinstance(table_allowed, list)\r\n+            if action_initials in table_allowed:\r\n+                return None\r\n+    # This action is not specifically allowed, so reject it\r\n+    return False\r\n+\r\n+\r\n @hookimpl\r\n def actor_from_request(datasette, request):\r\n     prefix = \"dstok_\"\r\n\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1301594495", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1301594495, "node_id": "IC_kwDOBm6k_c5NlMF_", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-11-03T03:11:17Z", "updated_at": "2022-11-03T03:11:17Z", "author_association": "OWNER", "body": "Maybe the way to do this is through a new standard mechanism on the actor: a set of additional restrictions, e.g.:\r\n\r\n```\r\n{\r\n  \"id\": \"root\",\r\n  \"_r\": {\r\n    \"a\": [\"ir\", \"ur\", \"dr\"],\r\n    \"d\": {\r\n        \"fixtures\": [\"ir\", \"ur\", \"dr\"]\r\n    },\r\n    \"t\": {\r\n        \"fixtures\": {\r\n            \"searchable\": [\"ir\"]\r\n        }\r\n    }\r\n}\r\n```\r\n`\"a\"` is \"all permissions\" - these apply to everything.\r\n`\"d\"` permissions only apply to the specified database\r\n`\"t\"` permissions only apply to the specified table\r\n\r\nThe way this works is there's a default [permission_allowed(datasette, actor, action, resource)](https://docs.datasette.io/en/stable/plugin_hooks.html#id25) hook which only consults these, and crucially just says NO if those rules do not match.\r\n\r\nIn this way it would apply as an extra layer of permission rules over the defaults (which for this `root` instance would all return yes).", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1292962813", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1292962813, "node_id": "IC_kwDOBm6k_c5NEQv9", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-27T04:31:40Z", "updated_at": "2022-10-27T04:31:40Z", "author_association": "OWNER", "body": "My hunch on this is that anyone with that level of complex permissions requirements needs to be using a custom authentication plugin which includes much more concrete token rules, rather than the default signed stateless token implementation that ships with Datasette core.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1292959886", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1292959886, "node_id": "IC_kwDOBm6k_c5NEQCO", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-27T04:30:07Z", "updated_at": "2022-10-27T04:30:07Z", "author_association": "OWNER", "body": "Here's an interesting edge-case to consider: what if a user creates themselves a token for a specific table, then deletes that table, and waits for another user to create a table of the same name... and then uses their previously created token to write to the table that someone else created?\r\n\r\nNot sure if this is a threat I need to actively consider, but it's worth thinking a little bit about the implications of such a thing - since there will be APIs that allow users to create tables, and there may be cases where people want to have a concept of users \"owning\" specific tables.\r\n\r\nThis is probably something that could be left for plugins to solve, but it still needs to be understood and potentially documented.\r\n\r\nThere may even be a world in which tracking the timestamp at which a table was created becomes useful - because that could then be baked into API tokens, such that a token created BEFORE the table was created does not grant access to that table.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1291485444", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1291485444, "node_id": "IC_kwDOBm6k_c5M-oEE", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T04:30:34Z", "updated_at": "2022-10-26T04:30:34Z", "author_association": "OWNER", "body": "I'm going to delay working on this until after I have some of the write APIs built to try it against:\r\n- #1851", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}